brcmfmac: how to setup SAE on RPi // Re: [PATCH] wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3
KeithG
ys3al35l at gmail.com
Thu Jun 27 04:34:59 PDT 2024
On Thu, Jun 27, 2024 at 12:01 AM Arend Van Spriel
<arend.vanspriel at broadcom.com> wrote:
>
> On June 27, 2024 12:47:02 AM KeithG <ys3al35l at gmail.com> wrote:
>
> > On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel
> > <arend.vanspriel at broadcom.com> wrote:
> >>
> >> On June 26, 2024 2:05:07 PM KeithG <ys3al35l at gmail.com> wrote:
> >>
> >>> On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
> >>> <arend.vanspriel at broadcom.com> wrote:
> >>>>
> >>>> On June 21, 2024 2:24:19 PM KeithG <ys3al35l at gmail.com> wrote:
> >>>>
> >>>>> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
> >>>>> <arend.vanspriel at broadcom.com> wrote:
> >>>>>>
> >>>>>> + Jouni
> >>>>>>
> >>>>>> On 6/20/2024 8:25 PM, KeithG wrote:
> >>>>>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
> >>>>>>> 0x18; available group 0x10
> >>>>>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
> >>>>>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
> >>>>>>> pairwise 0x10; available pairwise 0x10
> >>>>>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
> >>>>>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
> >>>>>>> key_mgmt 0x400; available key_mgmt 0x0
> >>>>>>
> >>>>>>
> >>>>>> I suspect the message above indicates the problem as there is no
> >>>>>> available key_mgmt to select so looked it up in the code and here it is:
> >>>>>>
> >>>>>>     sel = ie.key_mgmt & ssid->key_mgmt;
> >>>>>> #ifdef CONFIG_SAE
> >>>>>>     if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
> >>>>>>          !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
> >>>>>>         wpas_is_sae_avoided(wpa_s, ssid, &ie))
> >>>>>>         sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
> >>>>>>              WPA_KEY_MGMT_FT_SAE |
> >>>>>>              WPA_KEY_MGMT_FT_SAE_EXT_KEY);
> >>>>>> #endif /* CONFIG_SAE */
> >>>>>> #ifdef CONFIG_IEEE80211R
> >>>>>>     if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
> >>>>>>                   WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
> >>>>>>         sel &= ~WPA_KEY_MGMT_FT;
> >>>>>> #endif /* CONFIG_IEEE80211R */
> >>>>>>     wpa_dbg(wpa_s, MSG_DEBUG,
> >>>>>>         "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x",
> >>>>>>         ie.key_mgmt, ssid->key_mgmt, sel);
> >>>>>>
> >>>>>> So 0x400 matches the expectation:
> >>>>>>
> >>>>>> #define WPA_KEY_MGMT_SAE BIT(10)
> >>>>>>
> >>>>>> You already confirmed that the driver reports SAE and SAE offload
> >>>>>> support. So it seems wpas_is_sae_avoided() must return true. That will
> >>>>>> check whether the AP and network profile are setup to MFP. This seems to
> >>>>>> be the fact as your hostapd.conf and wpa_supplicant.conf both have
> >>>>>> ieee80211w=2 defined. This function can only return true when sae_check_mfp
> >>>>>> is enabled in the configuration file:
> >>>>>>
> >>>>>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
> >>>>>> # 0 = Do not check PMF for SAE (default)
> >>>>>> # 1 = Limit SAE when PMF is not enabled
> >>>>>> #
> >>>>>> # When enabled SAE will not be selected if PMF will not be used
> >>>>>> # for the connection.
> >>>>>> # Scenarios where this check will limit SAE:
> >>>>>> # 1) ieee80211w=0 is set for the network
> >>>>>> # 2) The AP does not have PMF enabled.
> >>>>>> # 3) ieee80211w is unset, pmf=1 is enabled globally, and
> >>>>>> # the device does not support the BIP cipher.
> >>>>>> # Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
> >>>>>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
> >>>>>> # In the example WPA-PSK will be used if the device does not support
> >>>>>> # the BIP cipher or the AP has PMF disabled.
> >>>>>> # Limiting SAE with this check can avoid failing to associate to an AP
> >>>>>> # that is configured with sae_requires_mfp=1 if the device does
> >>>>>> # not support PMF due to lack of the BIP cipher.
> >>>>>>
> >>>>>> The default is not to check it and your wpa_supplicant.conf does not
> >>>>>> specify it.
> >>>>>>
> >>>>>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> >>>>>> update_config=1
> >>>>>> network={
> >>>>>> ssid="deskSAE"
> >>>>>> sae_password="secret123"
> >>>>>> proto=RSN
> >>>>>> key_mgmt=SAE
> >>>>>> pairwise=CCMP
> >>>>>> ieee80211w=2
> >>>>>> }
> >>>>>>
> >>>>>> $ cat /etc/hostapd/hostapd.conf
> >>>>>> # interface and driver
> >>>>>> interface=ap0
> >>>>>> driver=nl80211
> >>>>>>
> >>>>>> # WIFI-Config
> >>>>>> ssid=deskSAE
> >>>>>> channel=1
> >>>>>> hw_mode=g
> >>>>>>
> >>>>>> wpa=2
> >>>>>> wpa_key_mgmt=SAE
> >>>>>> wpa_pairwise=CCMP
> >>>>>> sae_password=secret123
> >>>>>> sae_groups=19
> >>>>>> ieee80211w=2
> >>>>>> sae_pwe=0
> >>>>>>
> >>>>>> Regards,
> >>>>>> Arend
> >>>>>>
> >>>>>>
> >>>>>>> 1718907734.308779: wlan0: WPA: Failed to select authenticated key
> >>>>>>> management type
> >>>>>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
> >>>>>>> encryption suites
> >>>>>
> >>>>> Arend,
> >>>>>
> >>>>> I find the wpa_supplicant docs really hard to understand. I have read
> >>>>> through your response a few times and am still a bit confused. Does
> >>>>> this have to do with a pure wpa3 versus a wpa2/3 AP?
> >>>>
> >>>> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
> >>>>
> >>>>> I have tried editing my hostapd.conf and my wpa_supplicant.conf and
> >>>>> still cannot get a connection, so I must be doing something wrong.
> >>>>> I commented the ieee80211w line on both and it would not connect.
> >>>>> I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and
> >>>>> it still would not connect.
> >>>>>
> >>>>> What *should* the configurations be in the hostapd.conf and
> >>>>> wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What
> >>>>> should it be to be a wpa2/3 setup? My phone worked fine to connect
> >>>>> with the original hostapd setup, but I have no idea what it is doing
> >>>>
> >>>> As I mentioned in my previous email both config files listed above look
> >>>> okay to me (might be wrong though). The problem seems to be with
> >>>> wpas_is_sae_avoided(). For it to return true the config should have:
> >>>>
> >>>> sae_check_mfp=1
> >>>>
> >>>> But you don't have that and the default is 0 so it should check for MFP. This
> >>>> is where my trail ends. To learn more I would add additional debug prints.
> >>>> Are you comfortable rebuilding wpa_supplicant from source?
> >>>>
> >>>> Regards,
> >>>> Arend
> >>>
> >>> Arend,
> >>>
> >>> Thanks for the reply. I could try to rebuild wpa_supplicant from
> >>> source. This is on RPi, so debian *.debs which are a pain, but I think
> >>> I can do it.
> >>>
> >>> Do I understand correctly that 'sae_check_mfp=1' is supposed to be in
> >>> the hostapd.conf and wpa_supplicant.conf? I can try that and see if
> >>> anything changes.
> >>
> >> Ok. We can try first to put following in wpa_supplicant.conf:
> >>
> >> sae_check_mfp=0
> >>
> >> Let me know if that makes any difference.
> >>
> >>> Why would I have to re-build wpa_supplicant?
> >>
> >> I would provide a patch with additional debug prints so I get better
> >> understanding what is going wrong. Would be great if you can apply that and
> >> rebuild.
> >>
> >> Regards,
> >> Arend
> > Arend,
> >
> > I was able to try it this afternoon.
> > My hostapd is still:
> > # interface and driver
> > interface=ap0
> > driver=nl80211
> >
> > # WIFI-Config
> > ssid=deskSAE
> > channel=1
> > hw_mode=g
> >
> > wpa=2
> > wpa_key_mgmt=SAE
> > wpa_pairwise=CCMP
> > sae_password=secret123
> > sae_groups=19
> > ieee80211w=2
> > sae_pwe=0
> >
> > and I can still connect from my phone to this AP.
> >
> > I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> > update_config=1
> > network={
> > ssid="deskSAE"
> > sae_password="secret123"
> > proto=RSN
> > key_mgmt=SAE
> > pairwise=CCMP
> > ieee80211w=2
> > sae_check_mfp=1
> > }
> >
> > and when I try to connect, I get:
> > # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > Successfully initialized wpa_supplicant
> > Line 10: unknown network field 'sae_check_mfp'.
> > Line 11: failed to parse network block.
>
> Right. The setting sae_check_mfp is a global setting like update_config. So
> it should be moved outside the network block.
>
> Regards,
> Arend
>
Arend,
Thanks for the hand holding, I am out of my depth here!
I tried this config and get a similar result.
ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=1
sae_check_mfp=1
network={
ssid="deskSAE"
sae_password="secret123"
proto=RSN
key_mgmt=SAE
pairwise=CCMP
ieee80211w=2
}
# wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
Successfully initialized wpa_supplicant
Line 3: unknown global field 'sae_check_mfp=1'.
Line 3: Invalid configuration line 'sae_check_mfp=1'.
Failed to read or parse configuration
'/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'.
: CTRL-EVENT-DSCP-POLICY clear_all
Seems it doesn't recognize this parameter.
Keith
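An added worked model of the AKM selection logic Arend quotes above, written for this page and not taken from the thread or from the hostap project's code. It reproduces the CONFIG_SAE branch of the selection code and the sae_check_mfp rule as described in the quoted wpa_supplicant.conf comment, then parses a "WPA: AP key_mgmt ..." debug line and reports which mask could have produced the "available key_mgmt 0x0" result. The thread confirms only WPA_KEY_MGMT_SAE = BIT(10); the other bit positions are assumed from wpa_common.h and should be checked against the tree being built, and `sae_avoided()` is a simplification of wpas_is_sae_avoided() based on the documented behaviour rather than on its source.

```python
"""Model of wpa_supplicant's key_mgmt (AKM) selection, built from the code and
debug output quoted in the thread. Example code, not hostap's own."""
import re


def BIT(n):
    return 1 << n


# Bit positions from src/common/wpa_common.h. Only WPA_KEY_MGMT_SAE (0x400) is
# confirmed by the thread; the others are assumed and should be re-checked.
WPA_KEY_MGMT_PSK = BIT(1)
WPA_KEY_MGMT_SAE = BIT(10)
WPA_KEY_MGMT_FT_SAE = BIT(11)
WPA_KEY_MGMT_SAE_EXT_KEY = BIT(26)
WPA_KEY_MGMT_FT_SAE_EXT_KEY = BIT(27)
SAE_AKMS = (WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY
            | WPA_KEY_MGMT_FT_SAE | WPA_KEY_MGMT_FT_SAE_EXT_KEY)

# Matches the wpa_dbg() format string quoted in the thread.
LOG_RE = re.compile(
    r"WPA: AP key_mgmt 0x([0-9a-fA-F]+) network profile key_mgmt 0x([0-9a-fA-F]+);"
    r"\s*available key_mgmt 0x([0-9a-fA-F]+)")


def sae_avoided(sae_check_mfp, ap_mfp_capable, profile_uses_mfp):
    """Simplified wpas_is_sae_avoided(): per the quoted config comment, SAE is
    only dropped when the global sae_check_mfp is on AND PMF will not be used,
    either because the AP lacks it or because the network profile does not use it."""
    return bool(sae_check_mfp) and (not ap_mfp_capable or not profile_uses_mfp)


def select_key_mgmt(ap_key_mgmt, profile_key_mgmt, drv_sae, drv_sae_offload_sta,
                    avoided):
    """The CONFIG_SAE part of the selection code quoted in the thread:
    intersect AP and profile AKMs, then strip every SAE variant if the driver
    offers neither SAE nor SAE offload, or if the MFP check says to avoid SAE."""
    sel = ap_key_mgmt & profile_key_mgmt
    if (not drv_sae and not drv_sae_offload_sta) or avoided:
        sel &= ~SAE_AKMS
    return sel


def diagnose(log_line, drv_sae, drv_sae_offload_sta, sae_check_mfp=0,
             ap_mfp_capable=True, profile_uses_mfp=True):
    """Parse one selection debug line and explain why 'available' came out as it did,
    given what the driver and config are believed to be. Returns the parsed masks,
    the mask this model expects, and a list of human-readable reasons."""
    m = LOG_RE.search(log_line)
    if not m:
        raise ValueError("not a key_mgmt selection line")
    ap, profile, available = (int(x, 16) for x in m.groups())
    avoided = sae_avoided(sae_check_mfp, ap_mfp_capable, profile_uses_mfp)
    expected = select_key_mgmt(ap, profile, drv_sae, drv_sae_offload_sta, avoided)

    reasons = []
    if ap & profile == 0:
        reasons.append("AP and network profile share no AKM")
    elif available == 0 and (ap & profile) & SAE_AKMS:
        # Only the SAE variants overlapped and all of them were masked out.
        if not drv_sae and not drv_sae_offload_sta:
            reasons.append("driver advertises neither SAE nor SAE offload")
        if avoided:
            reasons.append("sae_check_mfp=1 and PMF would not be used")
    if expected != available:
        reasons.append(f"model expects 0x{expected:x} but log shows 0x{available:x}: "
                       "driver flags or MFP state differ from the assumptions")
    return {"ap": ap, "profile": profile, "available": available,
            "expected": expected, "reasons": reasons}


# The debug line quoted at the top of the thread, re-joined onto one line.
THREAD_LINE = ("1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile "
               "key_mgmt 0x400; available key_mgmt 0x0")

if __name__ == "__main__":
    # Keith reported that the driver advertises SAE and SAE offload and that
    # sae_check_mfp is unset, so the model expects 0x400 and flags the mismatch.
    for reason in diagnose(THREAD_LINE, drv_sae=True, drv_sae_offload_sta=True)["reasons"]:
        print(reason)
```

Run as-is it prints the mismatch for the thread's reported state; feeding `drv_sae=False, drv_sae_offload_sta=False` instead makes the model agree with the log, which is the quickest way to see that a "0x400 / 0x400 / 0x0" line points at either the driver flags or wpas_is_sae_avoided() and nothing else. `select_key_mgmt()` with a mixed `SAE WPA-PSK` profile against a mixed AP also shows the silent fallback to WPA-PSK that the config comment warns about.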